Skip to content

Commit 425af16

Browse files
CBL-Mariner-Botazurelinux-securityKshitiz Godara
authored
Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch libinput for CVE-2026-50292 [HIGH] - branch 3.0-dev" microsoft#17646
Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> Co-authored-by: Kshitiz Godara <kgodara@microsoft.com>
1 parent edbe92e commit 425af16

2 files changed

Lines changed: 120 additions & 2 deletions

File tree

Lines changed: 114 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,114 @@
1+
From 9ef7fa46ccf201dedbd657436103c88e86e8cdd2 Mon Sep 17 00:00:00 2001
2+
From: Peter Hutterer <peter.hutterer@who-t.net>
3+
Date: Sat, 6 Jun 2026 12:35:26 +0000
4+
Subject: [PATCH] libinput-device-group: sanitize phys before printing it
5+
6+
A malicious uinput device could set the phys value (via UI_SET_PHYS)
7+
to contain a '\n'. When the value is printed as part of the device group
8+
the udev rules will interpret it as separate property.
9+
10+
Depending on the property this can cause local privilege escalation.
11+
12+
Closes #1296
13+
14+
Found-by: Csome
15+
(cherry picked from commit 76f0d8a7f57e2868882864b4611281f12f704b55)
16+
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
17+
Upstream-reference: AI Backport of https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b.patch
18+
---
19+
udev/libinput-device-group.c | 34 ++++++++++++++++++++++++++++------
20+
1 file changed, 28 insertions(+), 6 deletions(-)
21+
22+
diff --git a/udev/libinput-device-group.c b/udev/libinput-device-group.c
23+
index 3da904e0..a376872b 100644
24+
--- a/udev/libinput-device-group.c
25+
+++ b/udev/libinput-device-group.c
26+
@@ -30,6 +30,24 @@
27+
28+
#include "libinput-util.h"
29+
30+
+/**
31+
+ * Return a sanitized copy of the phys string with control characters
32+
+ * replaced to prevent newline injection in udev properties.
33+
+ */
34+
+static char *
35+
+sanitize_phys(const char *phys)
36+
+{
37+
+ if (!phys)
38+
+ return NULL;
39+
+
40+
+ char *s = safe_strdup(phys);
41+
+ for (char *p = s; *p; p++) {
42+
+ if ((unsigned char)*p < 0x20 || *p == 0x7f)
43+
+ *p = '?';
44+
+ }
45+
+ return s;
46+
+}
47+
+
48+
#if HAVE_LIBWACOM
49+
#include <libwacom/libwacom.h>
50+
51+
@@ -109,7 +127,8 @@ wacom_handle_ekr(struct udev_device *device,
52+
53+
udev_list_entry_foreach(entry, udev_enumerate_get_list_entry(e)) {
54+
struct udev_device *d;
55+
- const char *path, *phys;
56+
+ char *phys = NULL;
57+
+ const char *path;
58+
const char *pidstr, *vidstr;
59+
int pid, vid, dist;
60+
61+
@@ -124,7 +143,7 @@ wacom_handle_ekr(struct udev_device *device,
62+
63+
vidstr = udev_device_get_property_value(d, "ID_VENDOR_ID");
64+
pidstr = udev_device_get_property_value(d, "ID_MODEL_ID");
65+
- phys = udev_device_get_sysattr_value(d, "phys");
66+
+ phys = sanitize_phys(udev_device_get_sysattr_value(d, "phys"));
67+
68+
if (vidstr && pidstr && phys &&
69+
safe_atoi_base(vidstr, &vid, 16) &&
70+
@@ -138,10 +157,12 @@ wacom_handle_ekr(struct udev_device *device,
71+
best_dist = dist;
72+
73+
free(*phys_attr);
74+
- *phys_attr = safe_strdup(phys);
75+
+ *phys_attr = phys;
76+
+ phys = NULL;
77+
}
78+
}
79+
80+
+ free(phys);
81+
udev_device_unref(d);
82+
}
83+
84+
@@ -154,8 +175,8 @@ int main(int argc, char **argv)
85+
int rc = 1;
86+
struct udev *udev = NULL;
87+
struct udev_device *device = NULL;
88+
- const char *syspath,
89+
- *phys = NULL;
90+
+ const char *syspath;
91+
+ char *phys = NULL;
92+
const char *product;
93+
int bustype, vendor_id, product_id, version;
94+
char group[1024];
95+
@@ -180,7 +201,7 @@ int main(int argc, char **argv)
96+
while (device != NULL) {
97+
struct udev_device *parent;
98+
99+
- phys = udev_device_get_sysattr_value(device, "phys");
100+
+ phys = sanitize_phys(udev_device_get_sysattr_value(device, "phys"));
101+
if (phys)
102+
break;
103+
104+
@@ -251,6 +272,7 @@ int main(int argc, char **argv)
105+
106+
rc = 0;
107+
out:
108+
+ free(phys);
109+
if (device)
110+
udev_device_unref(device);
111+
if (udev)
112+
--
113+
2.45.4
114+

SPECS/libinput/libinput.spec

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,12 +3,13 @@
33
Summary: Input device library
44
Name: libinput
55
Version: 1.25.0
6-
Release: 1%{?dist}
6+
Release: 2%{?dist}
77
License: MIT
88
Vendor: Microsoft Corporation
99
Distribution: Azure Linux
1010
URL: https://www.freedesktop.org/wiki/Software/libinput/
1111
Source0: https://gitlab.freedesktop.org/libinput/libinput/-/archive/%{version}/%{name}-%{version}.tar.bz2
12+
Patch0: CVE-2026-50292.patch
1213

1314
BuildRequires: check
1415
BuildRequires: gcc
@@ -48,7 +49,7 @@ The %{name}-test package contains the libinput test suite. It is not
4849
intended to be run by users.
4950

5051
%prep
51-
%autosetup
52+
%autosetup -p1
5253

5354
%build
5455
%meson -Ddebug-gui=false \
@@ -104,6 +105,9 @@ find %{buildroot}/%{_mandir}/man1 -type f -regextype posix-egrep -regex "$UTILS_
104105
%{_mandir}/man1/libinput-test-suite.1*
105106

106107
%changelog
108+
* Fri Jun 05 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.25.0-2
109+
- Patch for CVE-2026-50292
110+
107111
* Thu Feb 08 2024 Rohit Rawat <rohitrawat@microsoft.com> - 1.25.0-1
108112
- Upgrade to 1.25.0
109113

0 commit comments

Comments
 (0)